GENERAL INFORMATION AND DISCLAIMER
The use of the Services offered by TRAVELPERK, S.L.U., a company duly incorporated pursuant to the laws of Spain, with registered office at Avinguda Diagonal 211, Torre Glòries, 08018, Barcelona (Spain), assigned Spanish Tax Identification Code (CIF) B-66-484.577 and recorded in the Companies Registry of Barcelona in Volume 44779, Sheet 131, sheet B-467263 (hereinafter referred to as “TravelPerk”), implies in all cases the collection of certain information about its Service users.
1. DATA PROCESSING TERMS
If you are a traveler or an administrator, the company, entity or organisation (“Your Company”) you work for or collaborate with is the controller of your personal data, with TravelPerk acting as data processor.
Your Company has given us instructions to sign you up with our platform in accordance with the profile you have been assigned.
Notwithstanding the foregoing, we inform you that, as a registered user on behalf of Your Company, your data may be used by TravelPerk to send promotional information about our products and services addressed to Your Company. Such processing is in the legitimate interest of TravelPerk, which is expressly acknowledged by the data protection regulations and is expressly authorised in the regulations on information society services. You may, now or at any other time, object to receiving commercial notices about TravelPerk’s products and services by sending an email message to firstname.lastname@example.org.
You may exercise your rights to access, rectification, erasure, portability, restriction and/or objection to the processing of your personal data at any time and free of charge by sending a notice to our Data Protection Officer at the post and email addresses specified below: TRAVELPERK, SLU, Avinguda Diagonal 211, Torre Glòries, 08018, Barcelona, Spain; or to the following email address: email@example.com.
2. DATA CONTROLLER
In cases where you contact TravelPerk to request information, make inquiries or when you contract our services, TravelPerk acts as controller of the personal data provided for such purposes.
For any query, request or clarification regarding the processing of your personal data, you may contact the email and post addresses provided as follows: TRAVELPERK, SLU, Avinguda Diagonal 211, Torre Glòries, 08018, Barcelona, Spain; or firstname.lastname@example.org.
For the purpose of rendering the services offered, TravelPerk will process the following personal data:
- Any initial data you voluntarily provide to us in your request for information on our company or our services, or your request to obtain the services offered by TravelPerk. In each form, we will clearly and precisely specify which data you must provide on a mandatory basis to proceed with the request you submit to us at any time.
- Any data that are generated or exchanged with you after your initial request in order to fulfil such initial request.
- Any personal data you provide through a social network for the purpose of managing your request. These data depend on the privacy settings of each user, the use each user makes of the social network and the social network’s own privacy policies.
You guarantee the authenticity and truthfulness of all data provided and must update any information provided to TravelPerk so that it matches the real and current situation at all times. You will be held liable for any false or inaccurate statement and any damages this may cause to TravelPerk or any third parties.
4. USE OF PERSONAL DATA
The personal data provided to TravelPerk will be used for the following purposes:
- Managing your request for information relating to our company or our services, or your request to obtain the services offered by TravelPerk.
- Controlling compliance with the terms and conditions of use of the Services.
- Maintaining the commercial, contractual or collaborative relationships between TravelPerk and the company, entity or organisation you work for or collaborate with.
- Sending, including by electronic means, promotional information about the products and services offered by TravelPerk similar to those included in your requests.
5. LEGAL BASIS FOR THE DATA PROCESSING
TravelPerk is authorised to process your data for the purpose of managing and processing your requests, as this is necessary for TravelPerk to fulfil its contractual obligations in relation to such requests.
The processing of your professional or corporate contact details in relation to maintaining the relationship between TravelPerk and the company, entity or organisation you work for or collaborate with responds to a legitimate interest of our company, which is expressly acknowledged by the data protection regulations.
Regarding the sending of promotional information about products and services similar in nature to those requested by you, such processing is in the legitimate interest of TravelPerk, which is expressly acknowledged by the data protection regulations and is expressly authorised in the regulations on information society services. You may, now or at any other time, object to receiving commercial notices about TravelPerk’s products and services by sending an email message to email@example.com.
6. DATA DISCLOSURES, INTERNATIONAL TRANSFERS AND AUTOMATED DECISION-MAKING
TravelPerk does not disclose data to third parties without first obtaining your consent, except where necessary to fulfil the legal and contractual obligations to which TravelPerk is subject at any time due to its nature and business and/or to comply with your request.
In this respect, TravelPerk hereby informs you that your data may be disclosed to service providers with whom TravelPerk has signed the relevant agreements pursuant to the applicable regulations.
TravelPerk uses services rendered by technology providers located in countries that do not have regulations equivalent to the European regulations. Its use of these services meets all the requirements set by the data protection regulations, with the guarantees and safeguards required to protect your privacy being applied to transfers of your data.
For more information about how your privacy is guaranteed, you may contact the Data Protection Manager through the specified post and email addresses.
TravelPerk does not adopt any decisions that could affect you in a significant manner based solely on automated processing of your data. All decision-making processes of our company related to your requests, services, queries or purchases are conducted with the involvement of a human being.
7. RETENTION PERIOD
Your personal data will be kept for as long as your relationship with TravelPerk continues. After this relationship has ended, TravelPerk will keep your data for the legal statutes of limitations applicable to each processing. In such case, the data will only be processed to demonstrate that we have fulfilled our legal or contractual obligations. Once such statutes of limitations have ended, your data will be deleted or, alternatively, anonymised.
8. SECURITY AND CONFIDENTIALITY MEASURES APPLIED TO THE DATA
TravelPerk has implemented and maintains administrative, technical and organisational measures appropriate to the kind of data it collects and subject to the terms and conditions set out in the applicable data protection regulations, for the purpose of protecting the personal information provided to TravelPerk against unauthorised or unlawful access and accidental loss, damage, alteration or destruction of data. Only authorised staff may access the personal information and they may only do so for the permitted business purposes. Notwithstanding the foregoing, criminal acts may be committed by third parties even where TravelPerk uses all the means at its disposal to prevent such acts.
Despite this, you are responsible for suitably protecting any codes and passwords provided for access and for preventing them from being used or accessed by unauthorised third parties. TravelPerk cannot be held liable for any inappropriate use of the user name and password carried out by any user.
9. YOUR RIGHTS
You may exercise your rights to withdraw any consent you granted, to access, rectification, erasure, portability, restriction and/or objection to the processing of your personal data at any time and free of charge by sending a notice to our Data Protection Manager at the post and email addresses specified below: TRAVELPERK, SLU, Avinguda Diagonal 211, Torre Glòries, 08018, Barcelona, Spain; or to the following email address: firstname.lastname@example.org.
Further, should you consider that the processing infringes the data protection regulation or your rights, you may submit a complaint with our Data Protection Manager at the postal and electronic addresses indicated or with the Spanish Data Protection Agency through its website or at its post address.
10. OUR PRIVACY COMMITMENTS
Where TravelPerk processes personal data on behalf of the customer for the provision of the Services, we undertake the following confidentiality and data processing commitments:
- In order to provide the Services, TravelPerk will collect, among others, corporate information of the customer and its employees, such as the name, surname, e-mail address, password, phone number, payment data, identification documents and other professional and personal data from the customer and its employees.
- The terms of this Section are to apply to all data processing carried out for the customer (for the purposes of this section, the “Data Controller”) or any of its subsidiary companies by TravelPerk (for the purposes of this section, the “Data Processor”) and to all personal data transferred by the Data Controller to the Data Processor. The terms of this Section shall supersede any previous arrangement, understanding or agreement between the Data Controller and the Data Processor relating to data protection, and shall continue in force until the termination of the Services rendered by the Data Processor.
- The Data Processor will process personal data received from the Data Controller, in particular the personal data set forth in Clause 1 above, only on the express instructions of designated contacts at the Data Controller, which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor.
- Notwithstanding the aforementioned, the Data Controller expressly authorises the Data Processor to use the personal data in order to proceed with the bookings, reservations and any modifications, confirmations, cancellations of the travel services to be provided. In this regard, the personal data may also be accessed by the providers of the travel services, including, but not limited to, airline companies, train operators, rental car agencies, accommodation providers, other travel agents and any other person that may need the data to provide the travel services requested by the Data Controller.
- TravelPerk is entitled by law to send to the customer, including by electronic means, promotional communications related to the products and services offered by TravelPerk similar to those contracted by the customer without the latter’s prior consent. Recipients of these communications will receive them as registered users of TravelPerk’s platform on behalf of the customer (“Registered Users”). Registered Users may opt out of receiving promotional communications at any time by clicking on the unsubscribe link contained within the communication or by sending an email to the following address: email@example.com. Registered Users may also exercise their rights of access, correction, suppression, opposition, portability and limitation by sending a request to firstname.lastname@example.org or to our address at Avinguda Diagonal 211, Torre Glòries, 08018, Barcelona (Spain).
- The Data Processor shall transfer all personal data to the Data Controller on the Data Controller’s request in the formats, at the times and in compliance with specifications set out in the requirements notified in writing by the Data Controller to the Data Processor from time to time.
- The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Section are satisfactorily performed in accordance with all applicable legislation from time to time in force.
Where the Data Processor processes personal data (whether stored in the form of physical or electronic records) on behalf of the Data Controller it shall:
a) Process the personal data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as is required by law or any regulatory body;
b) According to article 32 of the European Regulation 2016/679 (“GDPR”) of 27 April 2016, implement appropriate technical and organisational measures and take all steps necessary to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested from the Data Controller;
d) If so requested by the Data Controller (and within the timescales required by the Data Controller) supply details of the technical and organisational systems in place to safeguard the security of the personal data held and to prevent unauthorised access;
e) Upon reasonable prior notice, permit persons authorised by the Data Controller to enter into any premises on which personal data provided by the Data Controller to the Data Processor is processed and to inspect the Data Processor’s systems to ensure that sufficient security measures are in place;
f) Not process personal data outside the European Economic Area unless it is necessary for the performance of a contract concluded in the interest of the data subject or unless conditions under paragraph g) below are met;
g) Without prejudice to Clause 5 above, the Data Controller authorizes the Data Processor to use another data processor (hereinafter, the “Sub-processors”), whose identification data and subcontracted services must be communicated to the Data Controller, prior to the provision of the service.
- Before hiring TravelPerk services the Data Controller shall send an email to email@example.com if it wishes to obtain a complete list of the Sub-processors prior to engagement.
By hiring the services, the Data Controller consents to and authorizes the Data Processor’s engagement of the Sub-processors included in the mentioned list at that time;
- The Data Processor will also inform the Data Controller of any change envisaged in the incorporation or substitution of the Sub-processors, thereby giving the Data Controller the opportunity to object to such changes. The Data Controller shall subscribe to receive notifications on new Sub-processors and other data protection matters by filling in this form or by any other mechanism the Data Processor communicates to the Data Controller from time to time.
- The Data Processor is obliged to transfer and communicate to the Sub-processors all the obligations that derive for the Data Processor from this Section and, in particular, the provision of sufficient guarantees that it will apply appropriate technical and organisational measures, so that the processing complies with the applicable regulations.
In any case, access to the data made by natural persons who render their services to the Data Processor, acting within the organisational framework of the latter by virtue of a commercial and non-labour relationship, is authorised. In addition, access to the data is granted to companies and professionals that the Data Processor has hired in its internal organisational framework in order to provide general or maintenance services (computer services, consulting, audits, etc.). In any case, section g) III above shall apply.
In the event that the Sub-processor provides services from countries that do not have data protection regulations equivalent to the European (“Third Countries”), the Data Processor undertakes to:
- Inform the Data Controller of said circumstance, and, if applicable, collaborate with the Data Controller who seeks the authorisation to carry out the corresponding international data transfer to a Third Country, before such international data transfer takes place; and
- Establish as many safeguards as are required by European regulations for the protection of personal data regarding international transfers of data to Third Countries (such as signing agreements with third-country data importers based on the Model Clauses approved by the authorities of the European Union).
h) Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
i) Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Data Processor;
j) Taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights;
k) Make available to the Data Controller all information reasonably necessary to demonstrate compliance with the obligations TravelPerk has as Data Processor and inform the Data Controller if, in the Data Processor’s opinion, an instruction given by the Data Controller infringes GDPR;
l) Notify the Data Controller without undue delay after becoming aware of a personal data breach and provide, to the extent possible, the information required by art. 33.3 GDPR.
- The maximum total liability for direct damages that may be caused to the customer due to breach of the obligations of this Section or for any other cause, will be limited to an amount of 20,000 Euros. TravelPerk will not be liable to the customer for indirect damages, such as for loss of profit or business, due to breach of the obligations of this Section or for any other cause.
- The Data Processor agrees that in the event it is notified by the Data Controller that it is not required to provide any further services, the Data Processor shall, at the Data Controller’s choice, return a copy of all personal data held by it in relation to this Section to the Data Controller or destroy all such personal data using a secure method which ensures that it cannot be accessed by any third party (and shall issue the Data Controller with a written confirmation of secure disposal), unless data protection applicable law requires the storage of a copy of personal data.
- The Data Processor accepts the obligations in this Section in consideration of the Data Controller using its services.
Corporate contact details exchanged between the Data Controller and the Data Processor to enable the provision of the Services will be processed by the other party in order to allow the development, compliance and control of the agreed provision of the Services. The basis of the processing is the fulfilment of the contractual relationship, while this relationship subsists and, after its termination, until any resulting liabilities become time-barred.
- The terms of this Section shall be governed by the Spanish and European regulations in terms of Personal Data Protection, as well as by the resolutions and guidelines of the Spanish Data Protection Agency and other competent bodies in this matter. In order to resolve any discrepancy regarding the interpretation and/or the enforcement of the provisions of this Section, the Data Controller and the Data Processor submit to the jurisdiction of the Courts and Tribunals of Spain with express waiver of any other legislation or jurisdiction that may correspond.
APPENDIX 1: SECURITY MEASURES TO BE ADOPTED BY THE DATA PROCESSOR
S1. The Data Processor will ensure that in respect of all personal data it receives from or processes on behalf of the Data Controller it maintains standard security measures related to:
S1.1. the harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the personal data;
S1.2. the nature of the personal data;
S2. In particular, the Data Processor shall, when mandatory according to the applicable data protection law:
S2.1. have in place and comply with a security policy which:
S2.1.1. defines security needs based on a risk assessment;
S2.1.2. allocates responsibility for implementing the policy to a specific individual or members of a team;
S2.1.3. is provided to the Data Controller on or before the commencement of the corresponding service agreement;
S2.1.4. is disseminated to all relevant members, volunteers and staff; and
S2.1.5. provides a mechanism for feedback and review.
S2.2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the personal data in accordance with best industry practice;
S2.3. prevent unauthorised access to the personal data;
S2.4. ensure its storage of personal data conforms with best industry practice such that the media on which personal data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to personal data is strictly monitored and controlled;
S2.5. have secure methods in place for the transfer of personal data whether in physical form (for instance, by using couriers rather than post) or electronic form (for instance, by using encryption);
S2.6. put password protection on computer systems on which personal data is stored and ensure that only authorised personnel are given details of the password;
S2.7. take reasonable steps to ensure the reliability of any members, volunteers and employees or other individuals who have access to the personal data;
S2.9. ensure that none of the employees or other individuals who have access to the personal data publish, disclose or divulge any of the personal data to any third party unless when strictly necessary for the provision of the Services or directed in writing to do so by the Data Controller;
S2.10. have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of personal data) including:
S2.10.1. the ability to identify which individuals have worked with specific personal data;
S2.10.2. having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the GDPR; and
S2.10.3. notifying the Data Controller as soon as any such security breach occurs.
S2.11. have a secure procedure for backing up and storing back-ups separately from originals;
S2.12. have a secure method of disposing of unwanted personal data, including back-ups, disks, printouts and redundant equipment.
APPENDIX 2: DATA PROCESSING INFORMATION
Categories of data subjects:
The personal data transferred concern the following categories of data subjects:
- Employees of the Customer, Registered Users
Categories of data:
The personal data transferred concern the following categories of data:
- Identifying information, such as name, ID number, contact details, date of birth, address history, country of residence, nationality, citizenship.
- Travel affiliation cards.
- Special meals, special necessities.
- Means of payment.
Special categories of data:
The personal data that might be transferred do not concern special categories of data.
The personal data that might be transferred will be subjected to the basic processing activity of providing the travel services.
Duration of Processing:
The personal data shall be processed for the term of the contractual relationship between TravelPerk and the customer, and after the end of this relationship for any reason, for the statutory periods of limitation applicable in each case. After these statutory periods of limitation, the personal data shall be deleted or alternatively anonymized.